Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

ALERT: Please treat advertising from beyond.com with extreme caution

April 16th 2009 in Uncategorized

Note: the malicious SWF has been reported to beyond.com.

Beyond.com is displaying a malicious advertisement with this URL:
ads.beyond.com/banners/jobfox_468x60.swf

Adopstools test results for jobfox_468x60.swf:
http://www.adopstools.com/index.asp?section=quicklink&id=4K57pJYUj1f874Sr

"The file has a sprite/movieclip which is containing Malware actionScript code."

The malicious advertisement uses MovieClip.getURL to load the following URL:
measurehits.com/?cmpid=<<redacted>>

The measurehits.com URL redirects victims to the following URL:

crustat.com/ts/in.cgi?<<redacted>>

That URL in turn redirects to one of several URLs:

truconv.com/?<<redacted>>
olinredr2.com/?<<redacted>>
traff-direct.com/?<<redacted>>

Then to domains such as:

go-uniq.com/in.cgi?<<redacted>>
top-name.cn/in.cgi?<<redacted>>
pyani.com/in.cgi?<<redacted>>

Eventually the victim ends up at one of several fraudware URLs, including:

removespywarethreats.com/<<redacted>>
desktoprepairpackage.com/<<redacted>>
pcantimalwaresolution.com/<<redacted>>
total-virusprotection.com/<<redacted>>
offer-provider.com/<<redacted>>
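
A defender with web proxy logs can surface this pattern by reconstructing each navigation that starts from a SWF and counting the hosts it crosses. The Python below is an added example, not part of the original post; the log format, the use of Location headers to link hops, and the threshold of three hosts are assumptions, the query strings are placeholders, and the example.* chain is constructed.

```python
from urllib.parse import urlsplit

# Constructed proxy records: (url, Referer, Location header or "").
# Hostnames in the first chain come from the post; "x" stands in for the
# redacted query strings. The example.* chain is a constructed benign ad click.
# Referer is left empty on hops reached by redirect to keep the sample short.
LOG = [
    ("http://measurehits.com/?cmpid=x",
     "http://ads.beyond.com/banners/jobfox_468x60.swf",
     "http://crustat.com/ts/in.cgi?x"),
    ("http://crustat.com/ts/in.cgi?x", "", "http://truconv.com/?x"),
    ("http://truconv.com/?x", "", "http://go-uniq.com/in.cgi?x"),
    ("http://go-uniq.com/in.cgi?x", "", "http://removespywarethreats.com/x"),
    ("http://removespywarethreats.com/x", "", ""),
    ("http://click.example.net/c?id=1",
     "http://ads.example.com/banner.swf",
     "http://shop.example.org/sale"),
    ("http://shop.example.org/sale", "", ""),
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def chains_from_swf(log):
    """Return one URL chain per request whose Referer is a .swf file."""
    by_url = {url: loc for url, _ref, loc in log}
    chains = []
    for url, referer, _loc in log:
        if not urlsplit(referer).path.lower().endswith(".swf"):
            continue
        chain, seen = [referer, url], {url}
        nxt = by_url.get(url, "")
        while nxt and nxt not in seen:      # stop on redirect loops
            chain.append(nxt)
            seen.add(nxt)
            nxt = by_url.get(nxt, "")
        chains.append(chain)
    return chains

def is_suspicious(chain, max_hosts=3):
    """Flag a SWF-initiated navigation that crosses more than max_hosts hosts."""
    hosts = list(dict.fromkeys(host(u) for u in chain[1:]))  # ordered, unique
    return len(hosts) > max_hosts, hosts

if __name__ == "__main__":
    for c in chains_from_swf(LOG):
        flagged, hosts = is_suspicious(c)
        print("FLAG" if flagged else "ok  ", c[0], "->", " -> ".join(hosts))
```

The host-count threshold is a triage heuristic, so flagged chains still need review against the creative that started them.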

